1.4.5.2

EdgeAdmin/internal/web/actions/default/index/index.go

@@ -0,0 +1,274 @@
+package index
+
+import (
+	"fmt"
+	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
+	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
+	"github.com/TeaOSLab/EdgeAdmin/internal/oplogs"
+	"github.com/TeaOSLab/EdgeAdmin/internal/rpc"
+	"github.com/TeaOSLab/EdgeAdmin/internal/setup"
+	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/index/loginutils"
+	adminserverutils "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/settings/server/admin-server-utils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/helpers"
+	"github.com/TeaOSLab/EdgeCommon/pkg/configutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/iplibrary"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs/codes"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/systemconfigs"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/rands"
+	"github.com/iwind/TeaGo/types"
+	stringutil "github.com/iwind/TeaGo/utils/string"
+	"net"
+	"time"
+)
+
+const regionDenyMessage = "当前软件系统暂时不为你所在的区域提供服务。"
+
+type IndexAction struct {
+	actionutils.ParentAction
+}
+
+// 首页（登录页）
+
+// TokenKey 加密用的密钥
+var TokenKey = stringutil.Rand(32)
+
+func (this *IndexAction) RunGet(params struct {
+	From string
+
+	Auth *helpers.UserShouldAuth
+}) {
+	if !this.checkRegion() {
+		this.WriteString(regionDenyMessage)
+		return
+	}
+
+	// 是否自动从HTTP跳转到HTTPS
+	if this.Request.TLS == nil {
+		httpsPort, _ := adminserverutils.ReadServerHTTPS()
+		if httpsPort > 0 {
+			currentHost, _, err := net.SplitHostPort(this.Request.Host)
+			if err != nil {
+				currentHost = this.Request.Host
+			}
+
+			var newHost = configutils.QuoteIP(currentHost)
+			if httpsPort != 443 /** default https port **/ {
+				newHost += ":" + types.String(httpsPort)
+			}
+
+			// 如果没有前端反向代理，则跳转
+			if len(this.Request.Header.Get("X-Forwarded-For")) == 0 && len(this.Request.Header.Get("X-Real-Ip")) == 0 {
+				this.RedirectURL("https://" + newHost + this.Request.RequestURI)
+				return
+			}
+		}
+	}
+
+	// DEMO模式
+	this.Data["isDemo"] = teaconst.IsDemoMode
+
+	// 检查系统是否已经配置过
+	if !setup.IsConfigured() {
+		this.RedirectURL("/setup")
+		return
+	}
+
+	//// 是否新安装
+	if setup.IsNewInstalled() {
+		this.RedirectURL("/setup/confirm")
+		return
+	}
+
+	// 已登录跳转到dashboard
+	if params.Auth.IsUser() {
+		this.RedirectURL("/dashboard")
+		return
+	}
+
+	this.Data["isUser"] = false
+	this.Data["menu"] = "signIn"
+
+	var timestamp = fmt.Sprintf("%d", time.Now().Unix())
+	this.Data["token"] = stringutil.Md5(TokenKey+timestamp) + timestamp
+	this.Data["from"] = params.From
+
+	uiConfig, err := configloaders.LoadAdminUIConfig()
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	this.Data["systemName"] = uiConfig.AdminSystemName
+	this.Data["showVersion"] = uiConfig.ShowVersion
+	if len(uiConfig.Version) > 0 {
+		this.Data["version"] = uiConfig.Version
+	} else {
+		this.Data["version"] = teaconst.Version
+	}
+	this.Data["faviconFileId"] = uiConfig.FaviconFileId
+
+	securityConfig, err := configloaders.LoadSecurityConfig()
+	if err != nil {
+		this.Data["rememberLogin"] = false
+	} else {
+		this.Data["rememberLogin"] = securityConfig.AllowRememberLogin
+	}
+
+	// 删除Cookie
+	loginutils.UnsetCookie(this.Object())
+
+	// 检查单体实例是否已经被初始化
+	{
+		settingResp, err := this.RPC().SysSettingRPC().ReadSysSetting(this.AdminContext(), &pb.ReadSysSettingRequest{Code: systemconfigs.SettingCodeStandaloneInstanceInitialized})
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		if string(settingResp.ValueJSON) == "0" {
+			this.RedirectURL("/initPassword")
+			return
+		}
+	}
+
+	this.Show()
+}
+
+// RunPost 提交
+func (this *IndexAction) RunPost(params struct {
+	Token    string
+	Username string
+	Password string
+	OtpCode  string
+	Remember bool
+
+	Must *actions.Must
+	Auth *helpers.UserShouldAuth
+	CSRF *actionutils.CSRF
+}) {
+	if !this.checkRegion() {
+		this.Fail(regionDenyMessage)
+		return
+	}
+
+	params.Must.
+		Field("username", params.Username).
+		Require("请输入用户名").
+		Field("password", params.Password).
+		Require("请输入密码")
+
+	if params.Password == stringutil.Md5("") {
+		this.FailField("password", "请输入密码")
+	}
+
+	// 检查token
+	if len(params.Token) <= 32 {
+		this.Fail("请通过登录页面登录")
+	}
+	var timestampString = params.Token[32:]
+	if stringutil.Md5(TokenKey+timestampString) != params.Token[:32] {
+		this.FailField("refresh", "登录页面已过期，请刷新后重试")
+	}
+	var timestamp = types.Int64(timestampString)
+	if timestamp < time.Now().Unix()-1800 {
+		this.FailField("refresh", "登录页面已过期，请刷新后重试")
+	}
+
+	rpcClient, err := rpc.SharedRPC()
+	if err != nil {
+		this.Fail("服务器出了点小问题：" + err.Error())
+		return
+	}
+	resp, err := rpcClient.AdminRPC().LoginAdmin(rpcClient.Context(0), &pb.LoginAdminRequest{
+		Username: params.Username,
+		Password: params.Password,
+	})
+
+	if err != nil {
+		err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(0), oplogs.LevelError, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogSystemError, err.Error()), loginutils.RemoteIP(&this.ActionObject), codes.AdminLogin_LogSystemError, []any{err.Error()})
+		if err != nil {
+			utils.PrintError(err)
+		}
+
+		actionutils.Fail(this, err)
+		return
+	}
+
+	if !resp.IsOk {
+		err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(0), oplogs.LevelWarn, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogFailed, params.Username), loginutils.RemoteIP(&this.ActionObject), codes.AdminLogin_LogFailed, []any{params.Username})
+		if err != nil {
+			utils.PrintError(err)
+		}
+
+		this.Fail("请输入正确的用户名密码")
+		return
+	}
+	var adminId = resp.AdminId
+
+	// 检查是否支持OTP
+	checkOTPResp, err := this.RPC().AdminRPC().CheckAdminOTPWithUsername(this.AdminContext(), &pb.CheckAdminOTPWithUsernameRequest{Username: params.Username})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	var requireOTP = checkOTPResp.RequireOTP
+	this.Data["requireOTP"] = requireOTP
+	if requireOTP {
+		this.Data["remember"] = params.Remember
+
+		var sid = this.Session().Sid
+		this.Data["sid"] = sid
+		_, err = this.RPC().LoginSessionRPC().WriteLoginSessionValue(this.AdminContext(), &pb.WriteLoginSessionValueRequest{
+			Sid:   sid + "_otp",
+			Key:   "adminId",
+			Value: types.String(adminId),
+		})
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		this.Success()
+		return
+	}
+
+	// 写入SESSION
+	var currentIP = loginutils.RemoteIP(&this.ActionObject)
+	var localSid = rands.HexString(32)
+	this.Data["localSid"] = localSid
+	this.Data["ip"] = currentIP
+	params.Auth.StoreAdmin(adminId, params.Remember, localSid)
+
+	// 清理老的SESSION
+	_, err = this.RPC().LoginSessionRPC().ClearOldLoginSessions(this.AdminContext(), &pb.ClearOldLoginSessionsRequest{
+		Sid: this.Session().Sid,
+		Ip:  currentIP,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	// 记录日志
+	err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(adminId), oplogs.LevelInfo, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogSuccess, params.Username), loginutils.RemoteIP(&this.ActionObject), codes.AdminLogin_LogSuccess, []any{params.Username})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	this.Success()
+}
+
+// 检查登录区域
+func (this *IndexAction) checkRegion() bool {
+	var ip = loginutils.RemoteIP(&this.ActionObject)
+	var result = iplibrary.LookupIP(ip)
+	if result != nil && result.IsOk() && result.CountryId() > 0 && lists.ContainsInt64([]int64{9, 10}, result.CountryId()) {
+		return false
+	}
+	return true
+}

EdgeAdmin/internal/web/actions/default/index/init.go

@@ -0,0 +1,16 @@
+package index
+
+import (
+	"github.com/iwind/TeaGo"
+)
+
+func init() {
+	TeaGo.BeforeStart(func(server *TeaGo.Server) {
+		server.
+			Prefix("").
+			GetPost("/", new(IndexAction)).
+			GetPost("/index/otp", new(OtpAction)).
+			GetPost("/initPassword", new(InitPasswordAction)).
+			EndAll()
+	})
+}

EdgeAdmin/internal/web/actions/default/index/initPassword.go

@@ -0,0 +1,108 @@
+// Copyright 2024 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package index
+
+import (
+	"net/http"
+
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/systemconfigs"
+	"github.com/iwind/TeaGo/actions"
+)
+
+type InitPasswordAction struct {
+	actionutils.ParentAction
+}
+
+func (this *InitPasswordAction) Init() {
+	this.Nav("", "", "")
+}
+
+func (this *InitPasswordAction) RunGet(params struct{}) {
+	isNotInitialized, err := this.isNotInitialized()
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if !isNotInitialized {
+		this.RedirectURL("/")
+		return
+	}
+
+	this.Data["username"] = "admin"
+	this.Data["password"] = ""
+
+	this.Show()
+}
+
+func (this *InitPasswordAction) RunPost(params struct {
+	Username string
+	Password string
+
+	Must *actions.Must
+	CSRF *actionutils.CSRF
+}) {
+	isNotInitialized, err := this.isNotInitialized()
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if !isNotInitialized {
+		this.ResponseWriter.WriteHeader(http.StatusForbidden)
+		return
+	}
+
+	params.Must.
+		Field("username", params.Username).
+		Require("请输入登录用户名").
+		Match(`^[a-zA-Z0-9_]+$`, "用户名中只能包含英文、数字或下划线").
+		Field("password", params.Password).
+		Require("请输入密码")
+
+	// 查找ID
+	adminResp, err := this.RPC().AdminRPC().FindAdminWithUsername(this.AdminContext(), &pb.FindAdminWithUsernameRequest{Username: "admin" /** 固定的 **/})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if adminResp.Admin == nil {
+		this.Fail("数据错误，请将数据库中的edgeAdmins表中的用户名修改为admin后再试")
+		return
+	}
+	var adminId = adminResp.Admin.Id
+
+	// 修改密码
+	_, err = this.RPC().AdminRPC().UpdateAdminLogin(this.AdminContext(), &pb.UpdateAdminLoginRequest{
+		AdminId:  adminId,
+		Username: params.Username,
+		Password: params.Password, // raw
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	// 修改为初始化完成
+	_, err = this.RPC().SysSettingRPC().UpdateSysSetting(this.AdminContext(), &pb.UpdateSysSettingRequest{
+		Code:      systemconfigs.SettingCodeStandaloneInstanceInitialized,
+		ValueJSON: []byte("1"),
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	this.Success()
+}
+
+func (this *InitPasswordAction) isNotInitialized() (bool, error) {
+	settingResp, err := this.RPC().SysSettingRPC().ReadSysSetting(this.AdminContext(), &pb.ReadSysSettingRequest{Code: systemconfigs.SettingCodeStandaloneInstanceInitialized})
+	if err != nil {
+		// 如果读取失败，可能是设置项不存在，视为未初始化
+		return true, nil
+	}
+	// 如果设置项不存在（空值）或值为 "0"，都视为未初始化
+	valueStr := string(settingResp.ValueJSON)
+	return len(valueStr) == 0 || valueStr == "0", nil
+}

EdgeAdmin/internal/web/actions/default/index/loginutils/utils.go

@@ -0,0 +1,111 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package loginutils
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
+	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
+	"github.com/TeaOSLab/EdgeCommon/pkg/iplibrary"
+	"github.com/iwind/TeaGo/actions"
+	stringutil "github.com/iwind/TeaGo/utils/string"
+	"net"
+	"net/http"
+	"regexp"
+	"strings"
+)
+
+// CalculateClientFingerprint 计算客户端指纹
+func CalculateClientFingerprint(action *actions.ActionObject) string {
+	return stringutil.Md5(RemoteIP(action) + "@" + action.Request.UserAgent())
+}
+
+// RemoteIP 获取客户端IP
+func RemoteIP(action *actions.ActionObject) string {
+	securityConfig, _ := configloaders.LoadSecurityConfig()
+
+	if securityConfig != nil {
+		if len(securityConfig.ClientIPHeaderNames) > 0 {
+			var headerNames = regexp.MustCompile(`[,;\s，、；]`).Split(securityConfig.ClientIPHeaderNames, -1)
+			for _, headerName := range headerNames {
+				headerName = http.CanonicalHeaderKey(strings.TrimSpace(headerName))
+				if len(headerName) == 0 {
+					continue
+				}
+
+				var ipValue = action.Request.Header.Get(headerName)
+				if net.ParseIP(ipValue) != nil {
+					return ipValue
+				}
+			}
+
+			if securityConfig.ClientIPHeaderOnly {
+				return ""
+			}
+		}
+	}
+
+	ip, _, _ := net.SplitHostPort(action.Request.RemoteAddr)
+	return ip
+}
+
+// LookupIPRegion 查找登录区域
+func LookupIPRegion(ip string) string {
+	if len(ip) == 0 {
+		return ""
+	}
+
+	var result = iplibrary.LookupIP(ip)
+	if result != nil && result.IsOk() {
+		// 这里不需要网络运营商信息
+		return result.CountryName() + "@" + result.ProvinceName() + "@" + result.CityName() + "@" + result.TownName()
+	}
+
+	return ""
+}
+
+// SetCookie 设置Cookie
+func SetCookie(action *actions.ActionObject, remember bool) {
+	if remember {
+		var cookie = &http.Cookie{
+			Name:     teaconst.CookieSID,
+			Value:    action.Session().Sid,
+			Path:     "/",
+			MaxAge:   14 * 86400,
+			HttpOnly: true,
+		}
+		if action.Request.TLS != nil {
+			cookie.SameSite = http.SameSiteStrictMode
+			cookie.Secure = true
+		}
+		action.AddCookie(cookie)
+	} else {
+		var cookie = &http.Cookie{
+			Name:     teaconst.CookieSID,
+			Value:    action.Session().Sid,
+			Path:     "/",
+			MaxAge:   0,
+			HttpOnly: true,
+		}
+		if action.Request.TLS != nil {
+			cookie.SameSite = http.SameSiteStrictMode
+			cookie.Secure = true
+		}
+		action.AddCookie(cookie)
+	}
+}
+
+// UnsetCookie 重置Cookie
+func UnsetCookie(action *actions.ActionObject) {
+	cookie := &http.Cookie{
+		Name:     teaconst.CookieSID,
+		Value:    action.Session().Sid,
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: true,
+	}
+	if action.Request.TLS != nil {
+		cookie.SameSite = http.SameSiteStrictMode
+		cookie.Secure = true
+	}
+	action.AddCookie(cookie)
+}

EdgeAdmin/internal/web/actions/default/index/otp.go

@@ -0,0 +1,160 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package index
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
+	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
+	"github.com/TeaOSLab/EdgeAdmin/internal/oplogs"
+	"github.com/TeaOSLab/EdgeAdmin/internal/rpc"
+	"github.com/TeaOSLab/EdgeAdmin/internal/setup"
+	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/index/loginutils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/helpers"
+	"github.com/TeaOSLab/EdgeCommon/pkg/langs/codes"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/maps"
+	"github.com/iwind/TeaGo/rands"
+	stringutil "github.com/iwind/TeaGo/utils/string"
+	"github.com/xlzd/gotp"
+	"time"
+)
+
+type OtpAction struct {
+	actionutils.ParentAction
+}
+
+func (this *OtpAction) Init() {
+	this.Nav("", "", "")
+}
+
+func (this *OtpAction) RunGet(params struct {
+	From     string
+	Sid      string
+	Remember bool
+}) {
+	// 检查系统是否已经配置过
+	if !setup.IsConfigured() {
+		this.RedirectURL("/setup")
+		return
+	}
+
+	//// 是否新安装
+	if setup.IsNewInstalled() {
+		this.RedirectURL("/setup/confirm")
+		return
+	}
+
+	this.Data["isUser"] = false
+	this.Data["menu"] = "signIn"
+
+	var timestamp = fmt.Sprintf("%d", time.Now().Unix())
+	this.Data["token"] = stringutil.Md5(TokenKey+timestamp) + timestamp
+	this.Data["from"] = params.From
+	this.Data["sid"] = params.Sid
+
+	uiConfig, err := configloaders.LoadAdminUIConfig()
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	this.Data["systemName"] = uiConfig.AdminSystemName
+	this.Data["showVersion"] = uiConfig.ShowVersion
+	if len(uiConfig.Version) > 0 {
+		this.Data["version"] = uiConfig.Version
+	} else {
+		this.Data["version"] = teaconst.Version
+	}
+	this.Data["faviconFileId"] = uiConfig.FaviconFileId
+	this.Data["remember"] = params.Remember
+
+	this.Show()
+}
+
+func (this *OtpAction) RunPost(params struct {
+	Sid      string
+	OtpCode  string
+	Remember bool
+
+	Must *actions.Must
+	Auth *helpers.UserShouldAuth
+}) {
+	if len(params.OtpCode) == 0 {
+		this.FailField("otpCode", "请输入正确的OTP动态密码")
+		return
+	}
+
+	var sid = params.Sid
+	if len(sid) == 0 || len(sid) > 64 {
+		this.Fail("参数错误，请重新登录（001）")
+		return
+	}
+	sid += "_otp"
+
+	// 获取SESSION
+	sessionResp, err := this.RPC().LoginSessionRPC().FindLoginSession(this.AdminContext(), &pb.FindLoginSessionRequest{Sid: sid})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	var session = sessionResp.LoginSession
+	if session == nil || session.AdminId <= 0 {
+		this.Fail("参数错误，请重新登录（002）")
+		return
+	}
+	var adminId = session.AdminId
+
+	// 检查OTP
+	otpLoginResp, err := this.RPC().LoginRPC().FindEnabledLogin(this.AdminContext(), &pb.FindEnabledLoginRequest{
+		AdminId: adminId,
+		Type:    "otp",
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if otpLoginResp.Login != nil && otpLoginResp.Login.IsOn {
+		var loginParams = maps.Map{}
+		err = json.Unmarshal(otpLoginResp.Login.ParamsJSON, &loginParams)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		var secret = loginParams.GetString("secret")
+		if gotp.NewDefaultTOTP(secret).Now() != params.OtpCode {
+			this.FailField("otpCode", "请输入正确的OTP动态密码")
+			return
+		}
+	}
+
+	// 写入SESSION
+	var localSid = rands.HexString(32)
+	this.Data["localSid"] = localSid
+	this.Data["ip"] = loginutils.RemoteIP(&this.ActionObject)
+	params.Auth.StoreAdmin(adminId, params.Remember, localSid)
+
+	// 删除OTP SESSION
+	_, err = this.RPC().LoginSessionRPC().DeleteLoginSession(this.AdminContext(), &pb.DeleteLoginSessionRequest{Sid: sid})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	// 记录日志
+	rpcClient, err := rpc.SharedRPC()
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(adminId), oplogs.LevelInfo, this.Request.URL.Path, this.Lang(codes.AdminLogin_LogOtpVerifiedSuccess), loginutils.RemoteIP(&this.ActionObject), codes.AdminLogin_LogOtpVerifiedSuccess, nil)
+	if err != nil {
+		utils.PrintError(err)
+	}
+
+	this.Success()
+}